Calling all developers, programmers and security researchers…
This is your chance to help build the safest crypto trading platform in the world and earn major rewards for doing so.
Our new bug bounty programme will reward you for the responsible disclosure of security issues and vulnerabilities, provided they meet our criteria.
This is a key part of our efforts to build a community-driven DeFi hub and to keep strengthening our security protections as the scope and functionality of our exchange grow.
How are the rewards categorised?
When you submit your bug, our internal security team will analyse the impact.
Based on this analysis, we will assign the bug a specific category. Each category carries its own corresponding bounty.
- No impact – $0
- Low – $30-50
- Medium – $500-5,000
- High – $5,000-30,000
- Critical – $30,000 +
Note: We have not set a maximum reward for the reporting of security vulnerabilities and may increase the value of rewards based on the severity of the vulnerability discovered.
How is each bug analysed?
We use a system based on the Common Vulnerability Scoring System (CVSS), a free and open industry standard for rating the severity of security vulnerabilities, to analyse each individual bug reported to us.
Our analysis takes a number of factors into account, including:
- How exploitable and complex the vulnerability is.
- The level of privilege an attacker needs in order to exploit the vulnerability.
- The degree of user interactivity required.
In addition, the impact or risk posed by a vulnerability is assessed based on the scope of a potential attack and whether it would constitute a breach of confidentiality, integrity or availability of our systems.
How to report a bug: our guidelines
To maximise the benefits of the bug bounty programme and ensure that reporters behave responsibly, we have created a list of guidelines.
Anyone who wishes to report a bug must:
- Make a good faith effort to avoid accessing sensitive data, destroying data or degrading our systems.
- Submit each issue only once (file separate reports only when you have found separate issues).
- Avoid using scanners or automated tools to find vulnerabilities (these will likely lead to a ban on the reporter’s IP address).
Reporters must not:
- Engage in Denial of Service attacks.
- Exploit any discovered vulnerability in any way, including by making it public.
- Publicly disclose any vulnerabilities if they have not yet been resolved or the reporter has not received our explicit consent.
- Attempt non-technical attacks, such as phishing or social engineering, against our employees, users or infrastructure.
A further note. Should we receive duplicate reports of a specific vulnerability, only the first report is eligible for a reward.
What is the scope of the bug bounty programme?
The following elements are considered to be within the scope for the programme:
- rhino.fi
- app.rhino.fi
- api.rhino.fi
- https://github.com/DeversiFi/dvf-client-js
Other areas including (but not limited to) the following are considered out of scope.
- *.rhino.fi (unless otherwise stated in scope)
- Social engineering, phishing etc against our employees, users, or infrastructure
We do not reward bounties for vulnerabilities found in third-party services. Please report these issues directly to the relevant service.
How to disclose
When disclosing a vulnerability, please use the following address:
We will review all submissions in detail and follow up directly with you as part of the review process. Please endeavour to keep lines of communication open as we may need to request additional information.
Once we have determined that you have found an eligible security issue and classified it, we will give you recognition for your work (if you desire), set a date for when information may be publicly disclosed and allow you to claim your bounty reward.
Please include a valid Proof-of-Concept along with the disclosure. Qualification for rewards will be decided based on reproducibility and severity of the vulnerability, and the reward amount may be reduced significantly without an illustrative PoC.